LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 05-02-2021, 12:56 PM   #1
gotaquestion
LQ Newbie
 
Registered: May 2021
Posts: 2

Rep: Reputation: Disabled
iptables rule to allow DNS traffic on client


Iím struggling to come up with an iptables rule(s) to allow DNS traffic below from a client machine to my private DNS server on the same network. Any help is very much appreciated.

DNS server IP address: a.b.c.100
Client IP address: a.b.c.200

The message captured in clientís /var/log/messages after all the rules were processed :
Code:
IN= OUT=lo SRC=a.b.c.200 DST=a.b.c.200 LEN=106 TOS=0x00 PREC=0xC0 TTL=64 ID=57831 PROTO=ICMP TYPE=3 CODE=1 [SRC=a.b.c.200 DST=a.b.c.100 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=3110 DF PROTO=UDP SPT=47963 DPT=53 LEN=58 ]
My default chain policies:
Code:
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT
Since the default for OUTPUT chain is Ďacceptí, I canít wrap my head around whatís missing.
DNS server is not an issue, it works well with all other clients.

firewalld is disabled. Iím running iptables instead.
iptables -S output (after masking, and stripping down unrelated lines):

Code:
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags PSH,ACK PSH -j DROP
-A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
-A INPUT -d 224.0.0.0/4 -p igmp -j DROP
-A INPUT -p tcp -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s a.b.c.100/32 -d a.b.c.200/32 -i enp1s0 -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -s a.b.c.200/32 -d 224.0.0.251/32 -p udp -m udp --sport 5353 --dport 5353 -j ACCEPT
-A INPUT -d 224.0.0.251/32 -p udp -m udp --sport 5353 --dport 5353 -j DROP
-A INPUT -s a.b.c.100/32 -d a.b.c.200/32 -p udp -m udp --sport 5353 -j ACCEPT
-A INPUT -s a.b.c.100/32 -d a.b.c.200/32 -p icmp -m icmp --icmp-type 0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d a.b.c.200/32 -i enp1s0 -p tcp -m multiport --sports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -d a.b.c.200/32 -i enp1s0 -p udp -m udp --sport 123 -m comment --comment ntp -j ACCEPT
-A INPUT -j LOG --log-prefix "** iptables-INP ** "
-A FORWARD -p tcp -m conntrack --ctstate INVALID -j DROP
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -j LOG --log-prefix "** iptables-FWD ** "
-A OUTPUT -d 224.0.0.0/4 -p igmp -j DROP
-A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -o lo -j ACCEPT
-A OUTPUT -s a.b.c.200/32 -d a.b.c.100/32 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -s a.b.c.200/32 -d 224.0.0.251/32 -p udp -m udp --sport 5353 --dport 5353 -j ACCEPT
-A OUTPUT -s a.b.c.200/32 -d a.b.c.100/32 -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s a.b.c.200/32 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A OUTPUT -s a.b.c.200/32 -p udp -m udp --dport 123 -m conntrack --ctstate NEW -m comment --comment ntp -j ACCEPT
-A OUTPUT -j LOG --log-prefix "** iptables-OUT ** "
Thanks
 
Old 05-03-2021, 09:46 AM   #2
elcore
Member
 
Registered: Sep 2014
Distribution: Slackware
Posts: 846

Rep: Reputation: Disabled
If this is homework, it's not going to pass. In case you did write those rules on your own, OP:
I'd make a rule on client to accept input from server:53, and accept output to server:53 (if the server responds on port 53).
Can't reliably filter by client sport in output or client dport in input since those might be random ports.
Note that I post only to answer the title. Those rules are not something I'd try and fix, it'd be faster to rewrite if you want my honest opinion.

And another couple of things, if you search "-o" you'll see output interface is unspecified.
When/if interface name changes, any rule with enp1s0 becomes useless, so you must then manually replace all instances of enp1s0,
Might be faster for you to write something like this so you only replace one line when/if interface or ip address changes:
Code:
IF0=enp1s0
SERV0=a.b.c.100
CLI0=a.b.c.200
-A INPUT -i $IF0 -s $SERV0 -d $CLI0 --sport 53 -j ACCEPT
-A OUTPUT -o $IF0 -s $CLI0 -d $SERV0 --dport 53 -j ACCEPT
Everyone's got different style I guess, but it'll be more readable that way.

Last edited by elcore; 05-03-2021 at 12:34 PM. Reason: more info
 
Old 05-03-2021, 11:42 PM   #3
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,566
Blog Entries: 3

Rep: Reputation: 2843Reputation: 2843Reputation: 2843Reputation: 2843Reputation: 2843Reputation: 2843Reputation: 2843Reputation: 2843Reputation: 2843Reputation: 2843Reputation: 2843
Quote:
Originally Posted by elcore View Post
Everyone's got different style I guess, but it'll be more readable that way.
Also, it'd be much easier to work through using the current tool, nftables, instead of the deprecated tool, iptables. You can even define variables within nftables.
 
Old 05-04-2021, 02:17 AM   #4
elcore
Member
 
Registered: Sep 2014
Distribution: Slackware
Posts: 846

Rep: Reputation: Disabled
Quote:
Originally Posted by Turbocapitalist View Post
Also, it'd be much easier to work through using the current tool, nftables, instead of the deprecated tool, iptables. You can even define variables within nftables.
Well, that is something I'll have to do at some point before 2024, among other things.
But I'm just taking care of old computers now, with long term kernels, so iptables was good enough for me.

And there's one more thing I've neglected to mention, because I was in a hurry yesterday.
Planned to make it a multiport match to save 2 lines, but completely forgot about it later and omitted a protocol match as well.
 
Old 05-04-2021, 08:03 PM   #5
gotaquestion
LQ Newbie
 
Registered: May 2021
Posts: 2

Original Poster
Rep: Reputation: Disabled
Thanks folks for all the suggestions. I figured the whole issue stems from my vpn configuration. For some reason dns traffic is directed to some odd 127.0.0.53 address, instead of my dns server. So I'll have to look into that first.

Last edited by gotaquestion; 05-05-2021 at 08:02 AM.
 
  


Reply

Tags
iptables


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Iptables - Rule Forwarding Traffic From VPN to Specifically Targeting an Interface in another VPN Tunnel endtimes Linux - Networking 4 08-16-2017 08:40 PM
firewalld and pptp - How to allow tcp traffic? (icmp traffic works) Mark L. Wise Linux - Networking 1 06-21-2017 01:50 PM
iptables rule to allow only one IP to connect papaLou Linux - Security 5 11-09-2011 12:56 PM
iptables: rule with RETURN target just after a rule with ACCEPT target Nerox Linux - Networking 6 09-04-2011 03:33 PM
iptables Rule to Block all LAN traffic mrant Linux - Networking 11 02-28-2010 01:53 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 11:53 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration